Rambo Tribble writes: "In a case of 'live by the sword, die by the sword,' researchers have used the now-infamous Heartbleed bug in OpenSSL to gain access to black-hat forums. A French researcher named Steven K. is quoted as saying, 'The potential of this vulnerability affecting black-hat services is just enormous.' Reportedly, the criminal-minded sites Darkode and Damagelab have already been compromised."
In related news, U.S. Cybersecurity Coordinator Michael Daniel posted an article at Whitehouse.gov yesterday reaffirming that the U.S. government had no prior knowledge of Heartbleed. He said, 'We rely on the Internet and connected systems for much of our daily lives. Our economy would not function without them. Our ability to project power abroad would be crippled if we could not depend on them. For these reasons, disclosing vulnerabilities usually makes sense. We need these systems to be secure as much as, if not more so, than everyone else.'

The point was specifically that the guys who hijack e-mail accounts to send Viagra offer e-mails all over the net are known to reside on phoney porn sites, sitting there like fishermen waiting for some sucker to click their targets, which are usually phoney links in the first place. They are the ones who were quick to exploit the OpenSSL hole and do man-in-the-middle interception of encrypted passwords.

Believe it or not there are still phone calls being made by people claiming to be from Microsoft telling y

I wonder why they didn't patch their system. Besides the trivial answer that they are incompetent script kiddies, I came up with these:

1 - the site is abandoned
2 - maybe only those who can exploit Heartbleed can gain access to the forum (tests for expertise and maintains anonymity)

Often, this is the case for hosts that the intruders want to keep around longer than a few days. Once they've taken good hold of a host, they tend to close off holes that they know about, so others can't get in the same way they did. You often find not just root kits, but also patches rolled out and workarounds to mitigate problems the hackers can't fix without alerting the admin of the box. This doesn't always happen, but most forensics reports I've read and cases I've witnessed myself, hackers tried to cl

Incompetent if they didn't find heartbleed [they are supposed to protect our infrastructure].

And massively irresponsible if they knew and didn't disclose it.

The overall damage is 1,000,000 times whatever the NSA might have gained as a penetration weapon in the arsenal. If they knew and didn't disclose, this is tantamount to doing more damage to U.S. [and world] interests than any cyber-criminal/terrorist/nation-state the NSA might hope to catch.

If you look at NSA's TAO division [or some others], they specialize in looking for such zero-days. They have used many zero-days that are a lot harder to find/utilize than this one. They have 30,000 people working for them. Even if only 1,000 are looking for zero-days full time, this is a lot of manpower to throw at the problem.

Odds are pretty high that the NSA had, indeed, found the bug. But, they decided they had a shiny new toy for their arsenal. They didn't see the bigger picture that this vulnerabi

If I were the NSA, I would have specifically targeted regular code review at things like OpenSSL. It's the best vector around. All of these denials just tell me high-level government are idiots and don't understand the issue. I don't think it's vaulting the NSA to mythical status to suggest they have known about the issue since shortly after the code was committed, and they didn't tell anyone. Furthermore, I don't believe it's far-fetched to believe foreign governments were aware of the issue as well.

I don't expect all code to be bug free. I'm a programmer with 40+ years experience. I looked at the patch diffs, direct from the upstream repo. The bug was missing a simple bounds check on the length of a payload. Sorry to say, but, the original code, stylistically, was newbie quality. If I had been the reviewer, I would have required that it be cleaned up [not even looking for a vuln]. Doing so might have made the bug easier to see [and may have prevented the bloodshed].
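The missing bounds check this comment refers to, as an added example that is not OpenSSL's code: a simplified model of an RFC 6520 heartbeat handler, written with the check that the patch introduced, plus a helper that reports how far the original unchecked logic would have read past the record when it trusted the peer's declared payload length. The function names and the zeroed padding are assumptions of this example.

```c
/* Simplified model of a TLS Heartbeat request (RFC 6520 framing:
 * 1 type byte, 2-byte big-endian payload_length, payload, >= 16 bytes padding).
 * Added example, not OpenSSL's code: it isolates the bounds check that
 * Heartbleed lacked. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_REQUEST  1    /* heartbeat_request, RFC 6520 */
#define HB_RESPONSE 2    /* heartbeat_response, RFC 6520 */
#define HB_PADDING  16   /* minimum padding required by RFC 6520 */

/* Bytes the unchecked logic would read beyond the received record if it
 * copied payload_length bytes without comparing it to rec_len.
 * Returns 0 when the declared length actually fits. */
size_t heartbeat_overread(const uint8_t *rec, size_t rec_len) {
    if (rec_len < 3) return 0;                        /* nothing to decode */
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    size_t needed = 1 + 2 + declared + HB_PADDING;
    return needed > rec_len ? needed - rec_len : 0;
}

/* Hardened handler: echoes the payload only after verifying that the
 * declared length fits inside the record that was actually received.
 * Returns the response length, or -1 to silently discard the record
 * (the fixed OpenSSL code also drops malformed heartbeats). */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;      /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    /* The check Heartbleed was missing: framing + payload must fit rec_len. */
    if (1 + 2 + declared + HB_PADDING > rec_len) return -1;
    size_t resp_len = 1 + 2 + declared + HB_PADDING;
    if (resp_len > out_cap) return -1;                /* caller's buffer too small */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];                                  /* echo payload_length */
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, declared);               /* bounded by the check above */
    memset(out + 3 + declared, 0, HB_PADDING);        /* padding; random in real TLS */
    return (int)resp_len;
}
```

A request that declares 0xFFFF bytes but carries one byte of payload is exactly the case the unchecked logic served from adjacent memory; the hardened handler discards it instead.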

Which is of course why the denial. Does anyone actually believe that denial? Not for a second. The US government and its agencies have all already been caught out repeatedly lying about everything they do; the only things they don't lie about are the ones they keep secret. Now if one were to take those lies into court and count each and every individual criminal action and each and every individual affected and then lied about, you are talking about hundreds of millions, even billions, of fully automated compu

I agree; the psychopathy evident here is a group that is more interested in gaining more power, rather than following their anecdotally proclaimed motivation in protecting America.

They let America's infrastructure be the bait. Just like in their pervasive spying they likely came across a lot of banking irregularities, and crimes -- which they did nothing about. For instance if they noticed a lot of this "metadata" connecting banks with Drug Cartels and Terrorists Cells -- it appears no banks have been harme

"Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks."

I'm troubled by the mention of "intellectual property" in Daniel's post. I'd understand it if he restricted his description to theft of military or intelligence secrets, but does this vagu

Those fuckers don't need our shit to be secure at all. They don't want it to be so either. They don't even use the same networks we do for secure coms. Hell, that's what the Number Stations are all about. [wikipedia.org] Every once in a while my scanner will catch one of my favorite broadcasts: Old school, just a monotonous series of digits. I'll fall asleep listening to them droning on and on -- no doubt only decipherable by one-time pads. You know, because public key crypto just moves the key-sharing problem of authentication around -- The endpoints still have to exchange the public keys, just like they'd have to exchange one-time pads (hundreds of Gigs of pad can fit in a micro SD card now). The CA system just moves the authentication problem from "which is their public key" to "which CA are they using" and adds: "Which CA can be trusted?" (none).

Look, if it was so damn important that the SSL systems were secure then the VERY BROKEN CA system would have been fixed a long time ago. As it stands now it's just a collection of single points of failure, and any one compromised CA brings the whole thing down (see: DigiNotar debacle). SSL has NEVER provided security, ever. At least with pre-arranged / pre-shared keys, if you do manage to transmit the key out of band (in person, at your bank, etc.) no one can ever MITM the connection. All TLS / PKI did was ensure that all SSL connections had a potential MITM via the CA. No competent security researcher would design a system like that. You have American, Iranian, Turkish, Chinese, Russian, etc. root certs trusted in your browser. If they compromise any router between you and your destination they can MITM the connection, and you'll see a big green bar too. Even if you did examine the cert chain, you'd have no way to know if the endpoint switched to a new CA; since any CA can create any cert for any domain, you have to trust ALL of them.

Web security is a laughing stock, and any "black-hat" group that was relying on SSL for any coms is probably just a CIA front, because EVERYONE with any snap has known that shit is not safe since its inception. [youtube.com] Would YOU trust a CA to sign certs if they also sell information interception services to governments? Why did you then? We already have accounts and pre-arranged secrets with all the places we need secure so just take your existing HTTP-Auth proof of knowledge hash [wikipedia.org] and feed it to the damn stream cipher and you're done. Well, and remove the basic auth bullshit, that's not needed, since we have cookies and web forms already. Point being: It's trivial to fix the CA system, but they don't do so, thus it's apparent that no government wants this shit to be secure or we wouldn't have the CA system, and they all wouldn't be able to spy on us. If you ask me that's collusion with the enemy against the citizens: Treason.

So speaks the man who has never run his own CA. It's not that hard provided you don't want to sign absolutely anyone's certificate (but just ones you know) and provided you're not trying to be trusted by major browsers by default. Not using the PKI to drive commerce and only supporting a few specific clients? You can go entirely private.